Secure your web traffic; Why HTTPS is important

There are many ways to transmit information over the Internet from one place to another, and different systems use different mechanisms and protocols to move data from point A to point B. Some are secure and some are less secure (or usually not secure at all). In this article, we’re going to focus primarily on the most common form of traffic: your standard, unencrypted HTTP web request.

Whenever you use your web browser to request a webpage, you send data to servers to make the request, receive the information about the webpage you’re visiting, and send back to the server all of the data you input into that page. The protocol your browser uses is HTTP, or Hypertext Transfer Protocol. All said and done, this protocol is just text – just really hyper… text (sorry).

Your requests are sent as text and the server’s responses are also sent as text. Granted, it might be in web code like HTML, or Hypertext Markup Language, but it’s text nonetheless. When you type www.hermeticnetworks.com in your web browser, your browser sends a GET request to the server responsible for hosting that page and it responds in kind with the files it hosts for it. Whatever is sent back is put together by your browser to make up the page you’re looking for. All of this is done over port 80 – always.

This image shows what an unencrypted HTTP transmission looks like over the wire. It’s all just plain text – you can see the URL the person has requested.

All of this is also completely unencrypted, which means when you send a GET request, what goes over the wire to the server is literally the word “GET”. There’s nothing fancy about it. Check out the image to the left – it’s a recording of all the information passed through a network at one given time using a free tool called Wireshark. It allows anyone to easily filter out specific protocols or computers to see exactly what is being transmitted to and from them. The image shows a filter for HTTP being applied to only data sent using that protocol. It looks a little weird, but if you look closely you can clearly see a request from a computer going to YouTube for a specific video. Without having access to the computer making the request or the server fulfilling the request, we can see, in plain text, exactly what’s being sent and received. Not cool, right?

The entire protocol works this way, which is why it’s not appropriate for sending or receiving sensitive information. In between you and the server you’re requesting data from – wherever it may be in the world – that information is plain text and readable by anyone. Now think about doing that in a public place – Starbucks, the airport, Panera, or wherever else you connect to public wifi. All that data could potentially be listened to and seen without you even knowing before it even leaves the building, let alone later down the line.

Enter HTTPS. Using the same protocol, HTTPS, or Hypertext Transfer Protocol Secure, uses a different channel (port 443) to send and receive information only after your computer negotiates an encryption type with the requested server. Once the two agree on how to talk to each other securely, standard HTTP information is passed back and forth in a manner that, relatively, can’t be decrypted by someone listening in on the transmission. More on that in a bit.

The main objectives of negotiating encryption are:

Verifying that the server you’re talking to is the one you actually want to be talking to and not an imposter

Ensuring that only your computer and the server can understand the information sent between the two

Once you request a website using HTTPS, your computer and the server go through a “handshake” process to establish the baseline of how the communication will work. The process goes like this:

Your computer sends a ClientHello message to the server to begin the handshake process. It will also send a list of all the different encryption methods it currently supports. Let’s just hope you keep it updated and it supports the strongest types.

The server proves its identity by presenting its SSL certificate, a small file that is issued by a trusted third party called a Certificate Authority. Most domain registrars issue SSL certificates and many act as Certificate Authorities, but many just resell certificates from VeriSign, Comodo, DigiCert, and GeoTrust – the idea being that you should trust those big guys to validate other servers and verify their identity.

Using information sent over in your ClientHello message, the two parties send each other keys for encryption and decryption using an algorithm supported by both. The specifics are interesting, but we don’t go in depth here.

This image shows encrypted traffic moving over the wire. You can see it’s very different from before, with everything just showing up as random, unreadable text.

It’s only after this process is complete that your computer and the server begin sending HTTP information back and forth using encryption. As you can see from the image on the right, looking at the sent data using Wireshark now displays a whole big pile of nonsense. It can be very difficult to decrypt if the two systems are using up-to-date standards. Older or out-of-date computers and software can use outdated and easily crackable forms of encryption, making it all the more important to keep computers, servers, and mobile devices updated regularly.
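To make the ClientHello step and the warning about outdated encryption concrete, here is an added Python example (not from the original article) that parses the cipher suite list out of a ClientHello record and flags the outdated entries. The two records are constructed in the code, with a zeroed random value and no extensions, and the suite table is a small subset of the IANA registry chosen for the example.

```python
import struct

# Subset of IANA cipher suite code points, chosen for this example.
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
WEAK_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "MD5")

def build_client_hello(suite_ids):
    """Construct a minimal TLS 1.2 ClientHello record (sample data, no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (b"\x03\x03" + bytes(32)              # client_version, random (zeroed sample)
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record: bytes):
    """Return the cipher suite ids a ClientHello record offers, in preference order."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                       # skip the session_id
    (length,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if length % 2 or pos + length > len(record):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, length, 2)]

def weak_offers(record: bytes):
    """Names of offered suites that rely on outdated algorithms."""
    names = [SUITES.get(s, f"unknown(0x{s:04X})") for s in offered_suites(record)]
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]

# Constructed samples: an up-to-date client and an out-of-date one.
MODERN_HELLO = build_client_hello([0x1301, 0xC02F])
LEGACY_HELLO = build_client_hello([0xC02F, 0x000A, 0x0005])

if __name__ == "__main__":
    print("modern client offers weak suites:", weak_offers(MODERN_HELLO))
    print("legacy client offers weak suites:", weak_offers(LEGACY_HELLO))
```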

So now, after taking a look at the data that’s sent and received, which do you want to be sending your usernames, passwords, banking information, and personal data over? It’s incredibly important, now more than ever, to make sure strong security is used whenever communicating anything other than casual conversations. It can be difficult to know how, though, without having a keen eye for what’s happening in your browser. Yes, the address bar changes colors or the page makes you click a bunch of security warnings before letting you onto a page that might not pass all the bullet points we talked about above, but one of the most common complaints we get is that it all changes so quickly, it’s impossible to know what’s secure and what’s just a needless warning message.

For that reason, we typically recommend HTTPS Everywhere. It’s a small browser extension made by our friends at the EFF (Electronic Frontier Foundation) that checks to see if the site you’re visiting allows secure connections and then redirects you, every time, to the HTTPS site as opposed to the HTTP site. It’s free and it works totally in the background – it’s definitely worth installing. Most popular sites are activating HTTPS by default now (banks, Facebook, etc.) but we’re not all the way there yet, so it’s important to know the difference between plain text and encrypted traffic. Because knowing is half the battle!

And that’s our quick look into the differences between encrypted and unencrypted web traffic and why it’s important to always use HTTPS where available. We’ll go more in depth another day, but for now just keep it in mind the next time you fill out a web form.